formbook | 2e919dbaca46898116a0aa387553a54f4711aea584ea9931e6ea49d89e8986b8

General

Target

file.exe
Size

271KB
MD5

e3a576fda3253b1f5e57734e1d1d30ec
SHA1

4da98990e681a5c9ea026960ca0150582088173d
SHA256

2e919dbaca46898116a0aa387553a54f4711aea584ea9931e6ea49d89e8986b8
SHA512

46a9280eff90efecb485ff491d43ae4ee62ac2e0ca2a0364b4749c1a4bf60bd49ed7d4dd2c1b9a9aa25e448776e5d172591b5df333c3965af7147631123ce64b
SSDEEP

6144:/Ya6x5gt3OupNIRztp3FXl50iIj74HtMJh9plSNqw7mPONATWEsbSDYv:/YDSt3OX95l5uj8NMJZlSz7mPOO4SDE

Score

10^/10

formbook w12e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

w12e

Decoy

poshsalon.co.uk

ideeksha.net

eaglebreaks.com

exileine.me.uk

saveittoday.net

ceon.tech

estateagentswebsitedesign.uk

faropublicidade.com

depression-treatment-83678.com

informationdata16376.com

wirecreations.africa

coolsculpting-pros.life

ethoshabitats.com

amtindividual.com

gotoken.online

cherny-100-imec-msu.ru

historicaarcanum.com

gpsarhealthcare.com

kx1257.com

abdullahbinomar.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4184-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4184-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3228-147-0x0000000000920000-0x000000000094F000-memory.dmp	formbook
behavioral2/memory/3228-151-0x0000000000920000-0x000000000094F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

uytjxhzdd.exeuytjxhzdd.exe

pid process

4120 uytjxhzdd.exe
4184 uytjxhzdd.exe

pid	process
4120	uytjxhzdd.exe
4184	uytjxhzdd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

uytjxhzdd.exeuytjxhzdd.exeNETSTAT.EXE

description	pid	process	target process
PID 4120 set thread context of 4184	4120	uytjxhzdd.exe	uytjxhzdd.exe
PID 4184 set thread context of 3052	4184	uytjxhzdd.exe	Explorer.EXE
PID 3228 set thread context of 3052	3228	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

3228 NETSTAT.EXE

pid	process
3228	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

uytjxhzdd.exeNETSTAT.EXE

pid	process
4184	uytjxhzdd.exe
4184	uytjxhzdd.exe
4184	uytjxhzdd.exe
4184	uytjxhzdd.exe
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE
3228	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

uytjxhzdd.exeuytjxhzdd.exeNETSTAT.EXE

pid process

4120 uytjxhzdd.exe
4184 uytjxhzdd.exe
4184 uytjxhzdd.exe
4184 uytjxhzdd.exe
3228 NETSTAT.EXE
3228 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

uytjxhzdd.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 4184 uytjxhzdd.exe
Token: SeDebugPrivilege 3228 NETSTAT.EXE

pid	process
3052	Explorer.EXE

pid	process
4120	uytjxhzdd.exe
4184	uytjxhzdd.exe
4184	uytjxhzdd.exe
4184	uytjxhzdd.exe
3228	NETSTAT.EXE
3228	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	4184	uytjxhzdd.exe
Token: SeDebugPrivilege	3228	NETSTAT.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

file.exeuytjxhzdd.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1060 wrote to memory of 4120	1060	file.exe	uytjxhzdd.exe
PID 1060 wrote to memory of 4120	1060	file.exe	uytjxhzdd.exe
PID 1060 wrote to memory of 4120	1060	file.exe	uytjxhzdd.exe
PID 4120 wrote to memory of 4184	4120	uytjxhzdd.exe	uytjxhzdd.exe
PID 4120 wrote to memory of 4184	4120	uytjxhzdd.exe	uytjxhzdd.exe
PID 4120 wrote to memory of 4184	4120	uytjxhzdd.exe	uytjxhzdd.exe
PID 4120 wrote to memory of 4184	4120	uytjxhzdd.exe	uytjxhzdd.exe
PID 3052 wrote to memory of 3228	3052	Explorer.EXE	NETSTAT.EXE
PID 3052 wrote to memory of 3228	3052	Explorer.EXE	NETSTAT.EXE
PID 3052 wrote to memory of 3228	3052	Explorer.EXE	NETSTAT.EXE
PID 3228 wrote to memory of 880	3228	NETSTAT.EXE	cmd.exe
PID 3228 wrote to memory of 880	3228	NETSTAT.EXE	cmd.exe
PID 3228 wrote to memory of 880	3228	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe
"C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe" C:\Users\Admin\AppData\Local\Temp\cjfqwq.l
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4120

C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe
"C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1240

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1372

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1492

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1256

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2944

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2840

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2800

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe"
3⤵
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cjfqwq.l
Filesize
5KB

MD5
880b21b90e22befd4df0d80aba7ff644

SHA1
ebc3d261dc7b28d440786da3a1713f2e10beba5e

SHA256
5ef221dc3ae4d47c1f069885b8e6ffce7531bfa772a6d67d23f92da1afa142c6

SHA512
13005bfa2abe5fe93d7400b806dcf6521b47ea3e93c88f356cc00a249b3fad68ec75541a9f565c5b0652c6f62dcce0bc3c85f4a3e80295775411a211b7ad8b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe
Filesize
75KB

MD5
7ba3704321ad41d32538052ff873a680

SHA1
c32751f91d47369c68a0d2c974b03a21c1d10f05

SHA256
6b61580c129877c0ea92647800d963854e3289557220136c23ddb3924619b9a3

SHA512
ecec4b75f28d0461dcd13cacc6bead72b1e500edfb4ce95bab66a3db15e2427f9a11762db1828836f5368ce12459ce40f8232b140bebdec7a6053427e484b703

Download Submit
C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe
Filesize
75KB

MD5
7ba3704321ad41d32538052ff873a680

SHA1
c32751f91d47369c68a0d2c974b03a21c1d10f05

SHA256
6b61580c129877c0ea92647800d963854e3289557220136c23ddb3924619b9a3

SHA512
ecec4b75f28d0461dcd13cacc6bead72b1e500edfb4ce95bab66a3db15e2427f9a11762db1828836f5368ce12459ce40f8232b140bebdec7a6053427e484b703

Download Submit
C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe
Filesize
75KB

MD5
7ba3704321ad41d32538052ff873a680

SHA1
c32751f91d47369c68a0d2c974b03a21c1d10f05

SHA256
6b61580c129877c0ea92647800d963854e3289557220136c23ddb3924619b9a3

SHA512
ecec4b75f28d0461dcd13cacc6bead72b1e500edfb4ce95bab66a3db15e2427f9a11762db1828836f5368ce12459ce40f8232b140bebdec7a6053427e484b703

Download Submit
C:\Users\Admin\AppData\Local\Temp\wndad.e
Filesize
205KB

MD5
aa76268a5e3f86543d2713c18055d0b0

SHA1
5034b6a8301d6733d5f96697a894119ec3b241e0

SHA256
35d310bc108289db31f597e661ed8c7ed1c6acde491c013cbc386ab9088ded2f

SHA512
e879fd4bba33faa3c638f0b510551acc397a2ae3a5ad41c59abc3e03840f9603bc80996c885ea34bb367088a2da098d79f4e9bc84ab71de78479689d8bc9da53

Download Submit
memory/880-145-0x0000000000000000-mapping.dmp

Download
memory/3052-142-0x0000000008290000-0x00000000083E8000-memory.dmp

Filesize
1.3MB

Download
memory/3052-152-0x0000000002D90000-0x0000000002E2B000-memory.dmp

Filesize
620KB

Download
memory/3052-150-0x0000000002D90000-0x0000000002E2B000-memory.dmp

Filesize
620KB

Download
memory/3228-146-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/3228-143-0x0000000000000000-mapping.dmp

Download
memory/3228-147-0x0000000000920000-0x000000000094F000-memory.dmp

Filesize
188KB

Download
memory/3228-148-0x0000000001280000-0x00000000015CA000-memory.dmp

Filesize
3.3MB

Download
memory/3228-149-0x00000000010C0000-0x0000000001153000-memory.dmp

Filesize
588KB

Download
memory/3228-151-0x0000000000920000-0x000000000094F000-memory.dmp

Filesize
188KB

Download
memory/4120-132-0x0000000000000000-mapping.dmp

Download
memory/4184-141-0x00000000005E0000-0x00000000005F4000-memory.dmp

Filesize
80KB

Download
memory/4184-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4184-140-0x0000000000A60000-0x0000000000DAA000-memory.dmp

Filesize
3.3MB

Download
memory/4184-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4184-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads